Beware of AWS Certificate Expiration: Today

Your AWS account has been identified as having a client (browser or application) that accessed an Amazon DynamoDB or Amazon DynamoDB Streams API in the last 30 days. The purpose of this upgrade notice is to communicate a change and actions you may need to take to continue to access these endpoints.

We will update the certificate authority (CA) for the certificates used by Amazon DynamoDB domains on May 14, 2018. At that time, the SSL/TLS certificates used by DynamoDB will be issued by Amazon Trust Services.

If your client machines already support the following CAs, no action is required:

- Amazon Root CA 1

- Starfield Services Root Certificate Authority - G2

- Starfield Class 2 Certification Authority

This upgrade notice covers the following endpoints:

Amazon DynamoDB

- dynamodb.us-east-1.amazonaws.com

- dynamodb.us-east-2.amazonaws.com

- dynamodb.us-west-1.amazonaws.com

- dynamodb.us-west-2.amazonaws.com

- dynamodb.ap-northeast-1.amazonaws.com

- dynamodb.ap-northeast-2.amazonaws.com

- dynamodb.ap-northeast-3.amazonaws.com

- dynamodb.ap-south-1.amazonaws.com

- dynamodb.ap-southeast-1.amazonaws.com

- dynamodb.ap-southeast-2.amazonaws.com

- dynamodb.ca-central-1.amazonaws.com

- dynamodb.eu-central-1.amazonaws.com

- dynamodb.eu-west-1.amazonaws.com

- dynamodb.eu-west-2.amazonaws.com

- dynamodb.eu-west-3.amazonaws.com

Amazon DynamoDB Streams

- streams.dynamodb.us-east-1.amazonaws.com

- streams.dynamodb.us-east-2.amazonaws.com

- streams.dynamodb.us-west-1.amazonaws.com

- streams.dynamodb.us-west-2.amazonaws.com

- streams.dynamodb.ap-northeast-1.amazonaws.com

- streams.dynamodb.ap-northeast-2.amazonaws.com

- streams.dynamodb.ap-south-1.amazonaws.com

- streams.dynamodb.ap-southeast-1.amazonaws.com

- streams.dynamodb.ap-southeast-2.amazonaws.com

- streams.dynamodb.ca-central-1.amazonaws.com

- streams.dynamodb.eu-central-1.amazonaws.com

- streams.dynamodb.eu-west-1.amazonaws.com

- streams.dynamodb.eu-west-2.amazonaws.com

If your clients already trust at least one of the above three CAs then they will trust our certificates and no action is required. However, if you do not already trust any of the above CAs and do not add them to your trusted CA list by May 14, 2018 at 9:00 AM PDT, HTTPS connections to the DynamoDB or DynamoDB Streams APIs will not be established. For more information about this AWS update, please visit this blog post: https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/

For information on the Amazon root CA see: https://www.amazontrust.com/repository/

* Testing Your Programmatic Access to DynamoDB

In December 2017, we launched the EU (Paris) Region (EU-WEST-3) with secure certificates issued by Amazon Trust Services. If you access DynamoDB or DynamoDB Streams programmatically, you can call the DynamoDB API or DynamoDB Streams API in the EU (Paris) Region (EU-WEST-3) to validate that the TLS handshake succeeds. If your API calls succeed in the EU (Paris) Region (EU-WEST-3), then they will continue to work as we deploy the CA changes to other AWS Regions. The specific endpoints you need to access in such a test are:

- DynamoDB: https://dynamodb.eu-west-3.amazonaws.com

- DynamoDB Streams: https://streams.dynamodb.eu-west-3.amazonaws.com

Most AWS SDKs and CLIs ( https://aws.amazon.com/tools/ ) are not affected by the transition to the Amazon Trust Services CA. If you are using a version of the Python AWS SDK or CLI released before October 29, 2013, you must upgrade your SDK. The .NET, Java, PHP, Go, JavaScript, and C++ SDKs and CLIs do not bundle any certificates, so their certificates come from the underlying operating system. The Ruby SDK has included at least one of the required CAs since June 10, 2015. Before that date, the Ruby V2 SDK did not bundle certificates. Depending on your SDK version and retry strategy, you might observe long delays before your software receives an error indicating SSL negotiation failure.

* What to do if the Amazon Trust Services CAs are not in your trust store?

If you cannot access the DynamoDB API at https://dynamodb.eu-west-3.amazonaws.com or the DynamoDB Streams API at https://streams.dynamodb.eu-west-3.amazonaws.com and you need to upgrade your certificate bundle, you can upgrade your certificate bundle by importing at least one of the required CAs. You can find the required CAs at https://www.amazontrust.com/repository/ . Instructions for importing a root CA certificate into your certificate bundle vary, so see the documentation that came with your software if you have questions about importing a root CA certificate.

Thank you for using Amazon DynamoDB or Amazon DynamoDB Streams, and please contact AWS Support if you have any questions: https://aws.amazon.com/support

Sincerely,

Amazon Web Services

Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210
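
The two checks the notice describes (is one of the three CAs in the trust store, and does a verified handshake to the EU (Paris) test endpoints succeed) can be scripted. The following is an added example, not part of the AWS notice; it assumes Python 3.7+ with only the standard library, and the function names are illustrative.

```python
import socket
import ssl

# CA names from the notice; any one of them in the trust store is sufficient.
REQUIRED_CAS = {
    "Amazon Root CA 1",
    "Starfield Services Root Certificate Authority - G2",
    "Starfield Class 2 Certification Authority",
}
# Test endpoints named in the notice (EU (Paris) Region).
TEST_ENDPOINTS = ["dynamodb.eu-west-3.amazonaws.com",
                  "streams.dynamodb.eu-west-3.amazonaws.com"]

def required_cas_present(ca_certs):
    """Return the subset of REQUIRED_CAS found in get_ca_certs()-style dicts."""
    found = set()
    for cert in ca_certs:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                # Check OU as well as CN: a root may carry its name only in OU.
                if key in ("commonName", "organizationalUnitName") and value in REQUIRED_CAS:
                    found.add(value)
    return found

def load_bundle(cafile):
    """Load a PEM bundle explicitly (capath directories are loaded lazily)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()

def probe(host, cafile=None, timeout=10):
    """Attempt a verified TLS handshake; return (ok, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message   # trust failure, the case the notice warns about
    except OSError as exc:
        return False, str(exc)              # network or other TLS error

if __name__ == "__main__":
    cafile = ssl.get_default_verify_paths().cafile
    if cafile:
        print("required CAs in", cafile, "->", sorted(required_cas_present(load_bundle(cafile))))
    for host in TEST_ENDPOINTS:
        print(host, probe(host))
```

Pass the certificate bundle your application actually uses as `cafile`; an SDK that bundles its own certificates may not consult the operating system store.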